In the Linux kernel, the following vulnerability has been resolved:
vt_ioctl: fix array_index_nospec in vt_setactivate
array_index_nospec ensures that an out-of-bounds value is set to zero
on the transient path. Decreasing the value by one afterwards causes
a transient integer underflow. vsa.console should be decreased first
and then sanitized with array_index_nospec.
Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
Amsterdam.
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/tty/vt/vt_ioctl.c"
],
"versions": [
{
"version": "1da177e4c3f4",
"lessThan": "830c5aa302ec",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f4",
"lessThan": "2a45a6bd1e6d",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f4",
"lessThan": "170325aba460",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f4",
"lessThan": "ae3d57411562",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f4",
"lessThan": "778302ca0949",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f4",
"lessThan": "ffe54289b02e",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f4",
"lessThan": "6550bdf52846",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f4",
"lessThan": "61cc70d9e8ef",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/tty/vt/vt_ioctl.c"
],
"versions": [
{
"version": "4.9.302",
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.14.267",
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.19.230",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.4.180",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.101",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.24",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.16.10",
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.17",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/170325aba4608bde3e7d21c9c19b7bc266ac0885
git.kernel.org/stable/c/2a45a6bd1e6d651770aafff57ab3e1d3bb0b42e0
git.kernel.org/stable/c/61cc70d9e8ef5b042d4ed87994d20100ec8896d9
git.kernel.org/stable/c/6550bdf52846f85a2a3726a5aa0c7c4399f2fc02
git.kernel.org/stable/c/778302ca09498b448620edd372dc908bebf80bdf
git.kernel.org/stable/c/830c5aa302ec16b4ee641aec769462c37f802c90
git.kernel.org/stable/c/ae3d57411562260ee3f4fd5e875f410002341104
git.kernel.org/stable/c/ffe54289b02e9c732d6f04c8ebbe3b2d90d32118